In most cases, you will not need to modify the xssfiliter.ini file settings. This section is presented for advanced users only.
The cross-site scripting (XSS) filter configuration settings are only available through the xssfilter.ini file and must be edited with a text editor. Be very careful to keep a backup of this file. If this file is corrupted, you may receive an error message when running Article Manager. You may not be able to login or use the program at all until the ini file has been fixed.
Why use a XSS filter
The problem you face: In a web content management system, your content
may come from unverified sources which can include potentially disruptive
content, usually in the form of unauthorized scripts running on your web
server. These scripts may be able to access confidential information.
This is known as Cross-Site Scripting, or XSS.
The solution we provide: XSS Filtering works by allowing users to only input known good Web page elements. These includes HTML, CSS, communication protocols and MIME types. XSS Filtering is enabled by default. It may be disabled with "disable_xss_filter = 1" in the <install dir>/exec/config.ini file.
What tags are filtered
The XSS filter removes potentially harmful HTML tags and content from
user input fields. By default the tags that are removed include forms,
scripts, embeds, objects, applets, unknown HTML tags, and other tag-like
constructs such as <%asp%> tags and <?php?> tags.
Note that the filter is done to the text entered by the user, not to the contents of the templates that you have, so that you can have scripts in your templates but still be able to filter user contents. However, in some cases your site may require the user to enter certain site-specific HTML constructs that are normally removed (e.g. <%PHP%> tags or custom markup tags). To allow those HTML, you need to modify the xssfilter.ini to allow certain tag types.
Configuring the XSS filter
On new installs, the XSS filter is enabled by default, whereas on upgrades
it is disabled by default. To enable or disable this filter, change the
"enable_xss_filter" setting in the config.ini file. XSS Filter settings
themselves are configured in the <install dir>/exec/xssfilter.ini
text file. Essentially it is a list of allowed elements. The first term
determines which type of element it is, while the second is the element
itself. To prevent an element from passing through the filter, remove
it from the list. To add an element, make a new entry for it.
If you are upgrading and adding the xssfilter.ini file, the XSS filter
is off by default. We recommend enabling the XSS filter greater security.
Before enabling it however, be certain that the tags used in your existing
user-entered content are all permitted. For example, if you have <embed>
tags already in your article content, then you need to configure the XSS
filter to permit <embed> tags and whatever attributes you are using.
Once that step is done, you can enable the XSS filter by editing the exec/config.ini
file and add the following line to the initial group of options:
enable_xss_filter = 1
[flags] Settings
These options configure some of the overall filtering actions.
Allow @import in style sheets
By default, @import is removed from stylesheets. Use this option to allow
it.
[flags][allow]
style_import=1
Allow comment tags
By default, comment tags are retained. Use this option to remove them.
Note that comments and SSI's are dealt with separately. That is, you can
remove comments but allow SSI's and vice versa.
[flags][allow]
comment_tags=1
Allow SSI tags
By default, server side include (SSI) tags are removed. Use this option
to allow them. Note that comments and SSI's are dealt with separately.
That is, you can remove SSI's but allow comments and vice versa.
[flags][allow]
ssi_tags=1
Allow unknown tags
By default, any html tag not listed in the [tags] section are removed.
If you want to allow all unknown tags, then enable this option. It is
usually better to specify each tag instead of allowing all tags. However,
if your articles will be post-processed by some other tools and the set
of tags to permit is not known ahead of time, you can use this option.
[flags][allow]
unknown_tags=1
Allow non-html tags
A non-html is defined here as "a tag that is surround by angle brackets
but the tag name begins with a non-alphanumeric." Examples of this include
<%asp%> tags and <?php?> tags. By default, non-html tags are
removed. If you want to allow all non-html tags, then enable this option.
[flags][allow]
nonhtml_tags=1
Enable UTF8 filtering
If your input text is UFT-8 encode, use this option remove invalid UTF-8
encodings.
[flags][utf8]
filter=1
[tag] Settings
This section determine which HTML tags are allowed. Tags that are not listed here will be treated as "unknown" tags (see the section [flags][allow] unknown_tags for more details).
Allow a new tag
To allow a new tag, add a line in the following format. This is the usual
way to add a new tag.
[tags][tag_name] example: allow the <page> tag [tags][page]
Disallow an existing tag
If you only want to remove a tag, but keep the content between the opening
and closing tags, add the line "handling=ignore" after the tag line.
example: disallow the <center> tag
[tags][center]
handling=ignore
Disallow a new/existing tag and its contents
If you want to remove the tag and the content between the opening and
closing tags, you need to specify the tag name and two options: "enclosing=1"
and "handling=ignore".
example: disallow the <map> tag and its contents
[tags][map]
enclosing=1
handling=ignore
Allow a new tag and its unfiltered contents
To allow a new tag and the unfiltered content between the opening and
closing tags, add the "enclosing=1" line.
example: allow the <danger> tag
[tags][danger]
enclosing=1
Note that the contents between the tags are NOT filtered,
so there is almost no reason to allow a tag this way. It is documented here
so you know what not to do. If the tag contents are formatted like a style
sheet, you can add "handling=style" to filter the contents the same way
as the "style" tag.
[tags][yourstyletag]
enclosing=1
handling=style
[attrs] Settings
This section determine which HTML tag attributes are allowed. Attributes that are not listed here will be removed. The values of permitted attributes are used as-is. If you specify an additional handling method, then the value of that attributes will also be filtered.
Note: The attribute filtering is applied to all tags. You cannot filter only the attributes of a certain tag.
Allow a new attribute
Add a line in the following format:
[attrs][attribute_name] example: allow the version attribute [attrs][version]
Disallow an existing attribute
Either remove or #comment out the associated [attrs] line from the xssfilter
file.
example: disallow the size attribute #[attrs][size]
Filter a new/existing attribute
If you want special filtering done on the attribute value, add a handling=
line after the attribute entry.
[attrs][attribute_name]
handling=style
or
handling=type
or
handling=url
| option | description |
| handling=style | Apply the "style sheet" filtering to the attribute value. You should only use this handling method with the "style" attribute. |
| handling=type | Only the specified [types] are allowed. See the [types] section for more details. |
| handling=url | Only specific types of URLs are allowed (e.g. http, ftp). See [protocols] section for more details. |
example: allow the background attribute which is an URL
[attrs][background]
handling=url
[css_attrs] Settings
This section determine which CSS attributes are allowed. Attributes that are not listed here will be removed. The values of permitted attributes are used as-is.
Note: The attribute filtering is applied to all CSS tags. You cannot filter only the attributes of a certain tag.
Allow a new attribute
Add a line in the following format:
[css_attrs][attribute_name]
example: allow the font-stretch attribute [css_attrs][font-stretch]
Disallow an existing attribute
Either remove or #comment out the associated [css_attrs] line from the
xssfilter file.
[protocols] Settings
This section determines which protocols (e.g. http) are allowed in URLs. URLs that begin with protocols not listed here will be removed.
Allow a new protocol
Add a line in the following format:
[protocols][protocol_name] example: allow links to use telnet (e.g. href="telnet://www.yoursite.com") [protocols][telnet]
Disallow an existing protocol
Remove or #comment out the associated [protocols] line from the xssfilter
file.
[types] Settings
This section determines which "type" values are allowed for the TYPE attribute. Note that the TYPE attribute is used for several different purposes. The single-letter and single-digit values are used in lists, and are generally safe. The MIME-types are the ones you should be careful of.
Allow a new type
Add a line in the following format:
[types][mime_type] example: add media/MP3 as a MIME-type [types][media/MP3]
Disallow an existing protocol
Remove or #comment out the associated [types] line from the xssfilter
file.